This page contains detailed technical specifications. For business decision-makers looking for outcomes and overview, see our main Services page.
AI Infrastructure That Won't Break or Get Compromised
Detailed technical specifications for IT teams, developers, and technical buyers. If you want OpenClaw setup details, VPS hardening specifics, or security audit methodology — it's here.
AI Agents & Automation — Secure-by-Design
Built to run in production. Controlled. Observable. Won't break at 2am.
You've seen what AI builders deliver: a workflow, a handover doc, and a wave goodbye. Then a token expires, a schema shifts, or an edge case loops the agent into burning your API credits — and there's nobody on the other end. Most AI automation is demo-grade shipped as production.
What I do
- ✓Guardrails defining exactly what the agent can and cannot do
- ✓Human-in-the-loop layer — risky instructions flagged before execution
- ✓Prompt injection defenses and input validation
- ✓Logging and observability — full audit trail of agent actions
- ✓Rate limits, fallback paths, and safe-mode triggers
- ✓Token expiry handling and schema drift detection
- ✓Security review of the full automation pipeline
What you get
- •Production-ready AI workflow with documented scope boundaries
- •Audit log configuration — every action traceable
- •Incident response procedure if the agent behaves unexpectedly
- •Monitoring setup so failures surface before they cost you
Need this specific service? Let's talk scope and timeline.
Incident Response & Malware Removal
Stop the damage. Find the real entry point. Close it properly.
The site's infected — maybe you know it, maybe your host flagged it, maybe Google blacklisted you overnight. The instinct is to run a plugin scanner, delete some files, and hope. That's how you get reinfected in two weeks. The cleanup has to go deeper than the symptoms.
What I do
- ✓Forensic analysis to find real entry point(s) — not just infected files
- ✓Identify and remove persistent backdoor shells
- ✓Clean malware and injected content across all affected areas
- ✓Fix vulnerable plugins, themes, and server configurations
- ✓WAF rules deployed to block known exploit patterns
- ✓File integrity monitoring configured post-cleanup
- ✓Full incident report: what happened, how, and what was closed
What you get
- •Cleanup confirmed with file integrity scan
- •Root cause documented — not just 'malware removed'
- •Hardening checklist applied
- •Monitoring configured so reinfection is caught immediately, not weeks later
Need this specific service? Let's talk scope and timeline.
Linux Server Security Hardening & Performance
Secure baseline. Optimised stack. Stays stable under real production load.
Random crashes, high CPU with no obvious cause, SSH with password auth still on, services running as root, no monitoring — this is the baseline state of most unmanaged VPS servers. It works until it doesn't, and when it breaks it breaks badly.
What I do
- ✓SSH hardened — key-based auth, root login disabled, port obscured
- ✓Firewall rebuilt deny-by-default with explicit allow rules
- ✓Fail2ban and intrusion detection configured
- ✓User access audited — least privilege, unused accounts removed
- ✓Kernel and sysctl tuning for production workloads
- ✓Web stack, database, and caching layer optimised
- ✓Log aggregation and real-time alerting configured
What you get
- •Hardened server with documented configuration
- •Performance baseline before and after — measurable improvement
- •Monitoring dashboard with alerting thresholds
- •Maintenance runbook so future changes don't undo the work
Need this specific service? Let's talk scope and timeline.
WordPress / WooCommerce Security & Optimization
Secured, optimised, and monitored — without breaking checkout.
Slow load times. Brute force login attempts in the logs. A plugin that hasn't been updated in 14 months. A database bloated with post revisions. WooCommerce running on a shared host that was never configured for eCommerce. Any one of these is a problem. Most stores have all of them.
What I do
- ✓Plugin and theme risk audit — vulnerable and abandoned extensions identified
- ✓WAF rules and brute-force login protection deployed
- ✓wp-config.php hardened, file permissions corrected
- ✓Database cleaned and optimised — revisions, transients, orphaned data
- ✓Caching strategy implemented without breaking cart or checkout
- ✓File integrity monitoring configured
- ✓Security keys rotated, admin accounts audited
What you get
- •Security hardening report with what was found and fixed
- •Load time improvement documented
- •Monitoring setup — file changes and login anomalies alerted
- •Recommendations for ongoing maintenance
Need this specific service? Let's talk scope and timeline.
Code & Configuration Security Audits
Find the risk before an attacker does — with a plan to fix it.
"We think we're secure but we're not sure." Usually said right before a fundraise, a big launch, or after a near-miss. The audit covers the infrastructure nobody looks at: secrets in environment files, permissions that are wider than they need to be, dependencies with known CVEs, headers that aren't set, logging that doesn't exist.
What I do
- ✓Auth and session management review
- ✓Injection risks and insecure defaults
- ✓Secrets handling — hardcoded credentials, exposed .env files
- ✓File permissions and access control audit
- ✓Dependency risk analysis — CVEs, abandoned packages
- ✓Security headers, CORS, and CSP review
- ✓Storage, backup, and logging configuration
What you get
- •Audit report with findings prioritised by risk (critical → informational)
- •Remediation guide — specific fixes, not generic recommendations
- •Re-test on request to confirm fixes landed
Need this specific service? Let's talk scope and timeline.
Email Security — SPF, DKIM, DMARC & Anti-Spoofing
Stop your domain being used to phish your own clients.
Someone is sending emails that look like they're from you. Your clients are receiving phishing attempts with your domain in the From field. Your legitimate emails are landing in spam. None of this is visible unless you're looking at DMARC reports — and most people aren't.
What I do
- ✓SPF record built and published — authorised senders only
- ✓DKIM signing configured across all mail streams
- ✓DMARC deployed with staged rollout: none → quarantine → reject
- ✓DMARC aggregate reporting configured for ongoing visibility
- ✓SMTP server hardened — relay access restricted
- ✓Deliverability review — inbox placement confirmed post-setup
What you get
- •Full SPF/DKIM/DMARC alignment confirmed
- •DMARC monitoring active — spoofing attempts visible
- •Staged enforcement plan if not moving to reject immediately
- •Guidance on what the reports mean and what to do with them
Need this specific service? Let's talk scope and timeline.
Need a specific technical scope?
Describe your infrastructure, stack, or security requirements. We'll scope it out and give you a concrete plan.
Response within 4 hours.